SWIFT Compliance Forum, Hong Hong (English Session)

SWIFT Compliance Forum,Hong Kong

29 April 2016

Andrew Burlison, Head Of Compliance Solutions APAC, SWIFT

Alicia Wong, Compliance Services Consultant, Asia Pacific, SWIFT

2

Agenda

KYC Registry updates

SWIFT Compliance portfolio updates

Sanction Testing – How to reduce false hit rate, identify false negative & adjust threshold to the optimised level?

FATF 16 – Payment Data Quality

RMA Analysis – How to manage RMA relationship, and identify high risk RMA?

Compliance Analytics – How to identify nested activities, and continuous monitoring of SWIFT message

KYC Registry Update:• Updated number of KYC Registry contributors until end of

March 2016:Global: over 2,400 banksAsia Pacific: over 640 banksGreater China Region: over 240 banksHong Kong: over 70 banks

3

SWIFT Compliance PortfolioSWIFT Compliance Services: Function:

1) KYC Registry Correspondent Bank Platform

2) RMA Analysis RMA analysis & clean-up

3) Sanction Screening Message Screening

4) Sanctions Testing Screening system testing

5) Compliance Analytics Swift message continuous monitoring

UP-COMING SERVICES:6) List Management Service Sanction list database

7) FATF16 Data Quality FATF16 wire transfer requirement

8) Name Screening Service Customer screening system

4

SANCTIONS TESTING

Sanctions Testing puts you in control

How effective is my filter?

How does my filter mitigate

my risks?

How can I manage match rates?

In the unlikely event of a sanction violation

• Sanctions filters mitigate business risk of low frequency but high impact events

• Irrespective of the likelihood of a sanctions violation, businesses have an obligation to ensure that sanctions controls work

• Sanctions testing ensures that your filter will operate in alignment with your risk policy

• Many sanctions filters are rarely tested

Sanctions Testing

Effectiveness

Efficiency

• Effectiveness: Meets regulatory demands and manages reputational risk

• Efficiency: Manages screening costs and resources

• Coverage: Improves filter coverage and ensures alignment to compliance policy and risk appetite

Common issues identified through testing:

• Outdated lists• Missing entry types• Missing entries• Language variants

not screened correctly• Deleted records still

screened

Sanctions ListsQuality

• List scope incorrect or not aligned with bank policy

• Inconsistent implementation across filters

• Entity and alias types screened unnecessarily

ScreeningPolicy

• Inconsistent screening performance across message types

• Message or file elements not screened properly

• Overreliance on specific fields (e.g. address or country)

Message Types

• Poor fuzzy matching performance

• Line break, word order, sequences

• Poor performance against particular entries (short or long names, aliases)

• Character set matching issues

FilterWeakness

Sanctions Testing – 2015 – Confidentiality: Public

Test For Exact Matches Coverage of EU ListImpact of Filter Threshold


Graphical view of filter fuzzy performance across all derivations

applied


Test For Exact Matches Coverage of EU ListImpact of Filter Threshold

Cases missed due to the "ampersand"

Cases missed due to length of Name

Formats

Settings

Lists

Automate • Repeat • Compare • Monitor

Sanctions Testing processDefinetest objective

Downloadtest files

Processtest files

Uploadhit results

Viewtest results


Third Party Assessment Report

Standard Services• Standard report and assessment

approach• Workshop & findings• Considers performance of your own

filters

Effectiveness• Provides assurance that you filter is

working• Captures Risk appetite• Understand fuzzy performance

Efficiency• Identifies opportunities for

efficiencies / cost reduction• Quick win efficiency improvements


Peer Assessment Reports


Exact MatchHow does

my filter compare?

Peer Upper Range

Peer Lower Range

Fuzzy Performance

Institution

Comprehensive•Standard report and assessment approach

•Multiple peer performance dimensions

Helps you understand•Relative performance•Policy and technical implementation•Risk appetite

SWIFT community•Developed by and created for the SWIFT community

•Industry best practice•Contribution basis

Am I in the safe-zone?

Understanding the evolving regulations around Payment Data Quality

Andrew Burlison, Head Of Compliance Solutions APAC, S.W.I.F.T

• What is are the new FATF 16 recommendation and EU Funds transfer regulation?

• What do they mean for you as a global institution?

• How might they affect your business moving forward?

• What steps can you take today to prepare for these changes, ensure compliance and mitigate compliance-related cost and risk?

FATF 16 recommendation16. Wire transfers *Countries should ensure that financial institutions include required and accurate originatorinformation, and required beneficiary information, on wire transfers and related messages,and that the information remains with the wire transfer or related message throughout thepayment chain.Countries should ensure that financial institutions monitor wire transfers for the purpose ofdetecting those which lack required originator and/or beneficiary information, and takeappropriate measures.Countries should ensure that, in the context of processing wire transfers, financial institutionstake freezing action and should prohibit conducting transactions with designated persons andentities, as per the obligations set out in the relevant United Nations Security Councilresolutions, such as resolution 1267 (1999) and its successor resolutions, and resolution1373(2001), relating to the prevention and suppression of terrorism and terrorist financing.

FATF 16 – In Detail Ordering financial institution11. The ordering financial institution should ensure that qualifying wire transfers contain required and accurate originator information, and required beneficiary information.12. The ordering financial institution should ensure that cross-border wire transfers below any applicable threshold contain the name of the originator and the name of the beneficiary and an account number for each, or a unique transaction reference number.13. The ordering financial institution should maintain all originator and beneficiary informationcollected, in accordance with Recommendation 11.14. The ordering financial institution should not be allowed to execute the wire transfer if it doesnot comply with the requirements specified above.

Intermediary financial institution15. For cross-border wire transfers, financial institutions processing an intermediary element of such chains of wire transfers should ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it16. Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, a record should be kept, for at least five years, by the receiving intermediary financial institution of all the information received from the ordering financial institution or another intermediary financial institution.17. An intermediary financial institution should take reasonable measures to identify crossborder wire transfers that lack required originator information or required beneficiary information. Such measures should be consistent with straight-through processing.18. An intermediary financial institution should have effective risk-based policies and procedures for determining: (i) when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and (ii) the appropriate follow-up action.

Beneficiary financial institution19. A beneficiary financial institution should take reasonable measures to identify cross-border wire transfers that lack required originator or required beneficiary information. Such measures may include post-event monitoring or real-time monitoring where feasible.

MAS Notice 626 (Last revised on 30 November 2015 )

PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS Cross-border Wire Transfers Exceeding S$1,500 11.5 In a cross-border wire transfer where the amount to be transferred exceeds S$1,500, every bank which is an ordering institution shall include in the message or payment instruction that accompanies or relates to the wire transfer the information required by paragraph 11.4(a) to 11.4(d) and any of the following:

(a) the wire transfer originator’s

(i) residential address; or (ii) registered or business address, and if different, principal place of business, as may be appropriate;

(b) the wire transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the wire transfer originator is not a natural person, the incorporation number or business registration number); or (c) the date and place of birth, incorporation or registration of the wire transfer originator (as may be appropriate).

As well as the name of the wire transfer beneficiary; and the wire transfer beneficiary’s account number

EU Funds transfer regulation· The Funds Transfer Regulation (Reg 2015/847) will repeal the existing wire transfer regulation (Reg 1781/2006) and

extend its scope. The fourth EU AML Directive takes effect from June 2017· New requirements for effective procedures at intermediary banks to detect and handle missing/incomplete payer/payee

information.20

15 R

egul

atio

n20

17 im

plem

enta

tionBank of Sender Intermediary Bank Bank of Receiver

2015

Reg

ulat

ion

2017

impl

emen

tatio

n

Provide sender’s name, address and account number in payment

· Transmit sender data to the next bank in the payment chain

· Review payments for presence of complete sender data

· Request missing sender data

· Escalate banks repeatedly sending messages without complete sender data

2006

R

egul

atio

n20

15 R

egul

atio

n20

17 im

plem

enta

tion

· Establish ex-post or real time procedures to detect lacking complete sender/receiver information

· Establish risk based procedures to execute, reject or suspend a funds transfer lacking the required information

· Request missing payer or receiver data· Escalate banks repeatedly sending payments

lacking required data

· Transmit all payment data to the next bank

· Establish ex-post or real time procedures to detect lacking complete sender/receiver information

· Request missing sender data

· Escalate banks repeatedly sending messages without complete payer data

· Establish risk based procedures to execute, reject or suspend a funds transfer lacking the required information

· Provide receiver’s name and account number in payment

· Provide sender’s name, address and account number in payment

Banks Located Outside the EU· Funds transfers paid into or through the EU require full payer and payee details· Transactions with missing or incomplete details may be rejected or delayed· Banks need to be prepared to handle increased investigation volumes when regulation comes into force in June 2017

Case Studies

21

Penalty and Remediation (20 listed points):“XXXNY Can no longer open a U.S. dollar demand deposit account without prior approval from the DFSRegarding “affiliate U.S. dollar clearing transactions” defined as(a) a payment originated from the account of a customer held at a non-U.S. XXX branch or majority-

owned subsidiary, and(b) in an amount of $3,000.00 or more, the following will apply:

• Originator Identity Information: XXX affiliates provide the identity (name and address, including country) of the originator with respect to all such transactions.

• Beneficiary Identity Information: XXX affiliates provide any beneficiary identification information received with the transaction instruction with respect to all such transactions”

5th of February 2015, Societe Générale sent a “Broadcast” message advising that as of the 1 st of April any credit transfers which have a link with the united states (transfers in USD and transfers in any other currency to be processed by a bank in the U.S. shall contain the ordering and beneficiary customers' full data:- account number of both the ordering and the beneficiary customers,- full name of both the ordering and the beneficiary customers,- complete address of both the ordering and the beneficiary customers.

Also stated in this Broadcast is that “any credit transfers listed above which will not contain the full data required will be cancelled. the cancellation will be notified as soon as possible by swift message.”

What does it mean for you as a global institution?

• Understand presence and quality of originator and beneficiary information in your SWIFT and other payment messages

• Verify whether this data meets regulatory requirements in line with FATF Recommendation 16

• Use reporting and notifications to assess and improve your own data quality and take appropriate measures with counterparties to ensure compliance

S.W.I.F.T Scope of messages being monitored• MT103, MT202COV, MT205COV • Inbound and outbound flows • All entities belonging to your financial group

Other payment types to consider • Fedwire• Chips• Any other cross border payment

FATF Requirements

50: Originator information Originator name present Account number of originator Address OR; National identity number OR; Customer identification number OR; Date and place of birth

59: Beneficiary information Beneficiary name present Account number of beneficiary

Scenario: Swift MT103 international payment

Sender’s BIC:MT:Receiver’s BIC:

Sender’s reference Bank Operation CodeValue date/currency/Interbank Settled amount Currency/instructed Amount Exchange rateOrdering Customer

Ordering InstitutionBeneficiary InstitutionBeneficiary Customer

Remittance Information Details of charges Sender’s charges

BANKUS33103BROMUS33

:20:CCT6781630:23B:CRED:32A:141215USD57276,12

:33B:EUR62500,:36:0,9165 :50A:/987456321AMERCHZ1

:52A:UBSWCHCZ:57A:BROMITRD:59:/IT66578675674585687 GIOVANNI EXPORT PIAZZA VENEZIA 44IT-00187 ROMA:70:/INV/QSD675:71A:SHA:71F:USD5,

Example Message

Party identifier

• Empty value • Presence account

number• Account number

length (parameter)• IBAN• Valid IBAN• Cheque

Name

• Empty value• Name length

(parameter)• Number of

consecutive repetitive characters (parameter)

• Presence of CCC• Characters present in

dummy list• Cheque

Address and additional info

• Address length (parameter)

• Number of consecutive numerical / alphabetical repetitive characters (parameter)

• Characters present in dummy list

• 50F presence of alternative address info

Country

• No country in all lines• Country line filled out

(truncation)• Characters present in

dummy list• Country present in

acceptable synonym list

Other

• Use of field option (structured or free format)

• Country of domicile of originator / beneficiary matches country of originator / beneficiary bank

Automated Monitoring, how do you check for Data Quality?

Various Elements that you may want to check using an automated solution

What are the additional benefits of improving payment data quality with an automated tool?

• Improved STP

• Improved outcomes on your sanctions screening

• Reducing false positives

• Quicker remediation

• Therefore reducing cost

• AML Transaction Monitoring

• Enhanced controls and understanding of payment transactions

• Monitor centrally to drive consistency at reaching a global standard throughout your institution

SummaryThe time is now to understand what risk the new regulations mean for your Financial Institution

First step is to understand how many of the payments whether you be the Sender, Intermediary, or Receiver of the payment meet or fall short of the new requirements.

Take steps to put in place an automated monitoring tool to detect and identify which of your counterparties are serial offenders

Start planning on systems and processes that will reject payments that do not meet the new regulation guidelines.

Use this compelling event to bring a business benefit to your institution by enhancing your payment practices.

Q&A

RMA Analysis and Clean-up as an Enabler of Compliance

Alicia Wong, CPASWIFT | Compliance Services Consultant+85 2 2107 [email protected]

Manage your RMA relationships & identify high risk RMAs

RMA analysis and review 29

What is RMA? Why is it relevant to you?

RMA (Relationship Management Application) is a SWIFT mechanism to control the traffic you want to accept from your correspondents and vice-versa.

De-risking? RMA is first line of defense!

RMA Best Practice̶V RMA Standard Operating Procedures̶V RMA Analysis̶V RMA Clean-up services

30

The Benefits of adopting RMA Best Practice:

Better understand Correspondent Banking RelationshipsFind out dormant/unused RMAs to reduce compliance cost & risks Avoid Unwanted / Unexpected Traffic

31

What do you need to know about your Correspondent Banks?

How many RMAs do I have?

When was the RMAs created?

Are they located in high risk countries?

Who are their parent banks?

How often do I do business with them?

What are the messages types exchanged?

What is the volume of messages exchanged?

What is the value of the messages exchanged?

Risk assessment High Risk RMAs

32


Better understand Correspondent Banking RelationshipsFind out dormant/unused RMAs to reduce compliance cost & riskAvoid Unwanted / Unexpected Traffic

33

Est. >45%DORMANT & UNUSED RMA relations

34

Find out Dormant/Unused RMAs to reduce cost of compliance

Costs of Compliance

HKMA No. 3.3 Guideline on Anti-Money Laundering and Counter-Terrorist Financing (Revised in March 2015) –

35


Better understand Correspondent Banking RelationshipsFind out dormant/unused RMAs to reduce compliance cost & risks Avoid Unwanted / Unexpected SWIFT Messages

36

RMA Best Practice

2nd RMA Analysis

3rd RMA Clean-up

1st Standard Operating Procedures

37

Step 1: Setup Standard Operating Procedures

How to create new correspondent banking relations?

High risk counter-party?

A case assigned to RMA Manager

No

Yes

Senior Management

Approval

Due Diligence

Business justification

Senior Management

Approval

Due Diligence

SWIFT Compliance Consulting Services

RMA Authorisations Tasks• Create • Close • On-going monitoring

Responsibility Assignment Matrix• Who is responsible?• Who is accountable?• Who is consulted?• Who is informed?

Controls


Step 2: Conduct RMA Analysis

Link with FIN authenticated

transactions to define the RMA status

• Three possible statuses:• Active• Dormant• Unused

Remove list of identified RMA’s

automatically from your interface

• Process and assistance to facilitate the bulk removal of selected unused RMA relationships

Data Collection

RMA Analysis

RMA Clean-up

Overview of existing RMA’s inbound and

outbound

• Institution provides the list of RMA in XML

• Workshop implementation best practices

Key Findings Review

Key findings

• List “hot items” among RMA correspondence (overview of usage with details at BIC level)

BusinessEvaluation

Optional1 2


Identify the status of RMA relations

Objective: identify latest month during which traffic was exchanged with counterparty and derive status of the RMA using only authenticated traffic.

Traffic exchanged since creation

No

Yes

Not in recent 12 months

In recent 12 months

Unused

Dormant

Active

Hot items


Step 2: Conduct RMA Analysis







Data Collection

RMA Analysis

RMA Clean-up


outbound



Key Findings Review

Key findings

• List “hot items” among RMA correspondence + Business Intelligence

BusinessEvaluation

Optional1 2 3


Step 2: RMA Analysis Sample Report

2. Located in high risk countries?

3. Who are the parent banks?

4. How often do I do business? 5. What types

of business relationships?

1. How many RMAs I have?

Additional business intelligence: granularity of messages types, volume and value of messages exchanged


Step 3: RMA Clean-up Services







Data Collection

RMA Analysis

RMA Clean-up


outbound



Key Findings Review

Key findings

• List “hot items” among RMA correspondence (overview of usage with details at BIC level)

BusinessEvaluation

Optional1 2 3 4

• Analyse RMA answer messages

• Adapt list of RMA authorisations to be removed if necessary

43

Step 3: RMA Clean-up Services

Kick-off meeting

List of authorisation

Analysis of Answers

Query generation

1 2 3 4

RMA clean-up

• Decide list of authorisations “to be deleted”

• Identify scope

• Clarify responsibilities

• Create an RMA Query message for each “unwanted” RMA authorisations to check importance of relations

• Remove “unwanted” RMA authorisations

5

Q&A

Compliance Analytics

Sharpen oversight of financial crime related risk

46

Identify hidden relationships in payment flows – Receiving Banks

Originating Institution – Country

Counterparty = Sender - Country

Your Bank = Receiver

Beneficiary institution - Country

Direct Relationships

Indirect Relationships

HKBANKHKHH

AUBANKAUXX

MMBANKMM01

MMBANKMMYY

47

Identify hidden relationships in payment flows – Sending Banks

Originating Institution - Country

Your bank = Sender

Counterparty = Receiver - Country

Beneficiary institution - Country



HKBANKHKHH

AUBANKAUXX

MMBANKMM01

MMBANKMMYY

48

What is Compliance Analytics?

Risk Monitoring Tool

Collaborate major FIs

Cloud based solution

Traffic on SWIFT

network

Identify hidden relation-ships

Events triggered Alerts

SWIFT Consulting & Support

Detecting unusual patterns, policies breach

49

How Compliance Analytics can help banks to manage their Financial Crime Risks?

1. Global view – Am I the last man standing in a corridor?

• Your bank’s message data (value & volume) in different countries (inbound & outbound)• SWIFT total traffic data of a particular corridor (inbound & outbound)• Business evaluation • Risk assessment

Messages from Myanmar by volume and value Activity share (Corridor: messages from Myanmar to HK)

Your bank’s total

SWIFT’s total

Activity share trend?1. Peers withdrawal?2. Aggressive

expansion?

Activity share: 45%

• Understand the business operations in different countries• Detecting irregular trends, outliers, policies breach• Any high risk countries involved?

1. Global view – Business Overview by Countries

1. High value from a particular country?

2. Any irregular trends? 3. Any high risk

countries involved?

No. of MT103 Monthly Evolution received from Myanmar

There is substantial increase in Dec & Jan, further investigation!

1. Global view – Business Overview by Branches

• Better control over transaction activity by branches• Any high risk countries involved?• Collateral for monitoring, no need to gather information from branches separately and consolidate

1. Transaction activity by country

2. Collateral for monitoring

3. For branches to report to HQ/regulators

53


2. Country Risk Assessment – Who are my Major Counterparties?

• Who are my major counterparties in Myanmar by value or by volume?• Identify irregular trends

1. Low volume but high value

Counterparties Rank by Value

2. Breakdown for checking for irregular trends

2. Country risk assessment – identify high risk corridor

• Identify the originating & beneficiary countries to find out hidden relationship • Obtain good insights on nested relationships which banks are difficult to identify• Identify irregular flows and compliance beaches

USA BANKHKHH

USA 20%Myanmar 18%Russia 15%Sudan 5%Others…

HK 50%USA 20%Myanmar 13%Sudan 5%Others…



Originating country (Field 52)

Sender = CounterpartyCountry

Your bank Beneficiary country (Field 57)

56


3. Counterparty Risk Assessment – identify high risk transactions

High % of non-structured option?Option D: free format CORRUS33

Your bank =BANKHKHK

High % of non-structured option?Option D: free format

• Identify which counterparty is exposing you to high risk business by looking into the originating and beneficiary countries

• Is there any banks sending you messages indirectly through your counterparties?

Originating institution (Field 52)

Sender = Counterparty

Your bank Beneficiary institution(Field 57)



3. Counterparty Risk Assessment

• In-depth investigation on high risk transactions• Leverage the transaction reference for payment details

BANKHKHH Russia Empty FieldBANKUS33Myanmar BANKMM33 n/a Myanmar DEMOMM2L

Drill down to transaction details

Originating country (Field 52)

Sender = Counterparty

Your bank Beneficiary country (Field 57)

BANKMM33 BANKUS33USA

Your bank BANKHKHK

DEMOMM2L

59

What other values can it bring?

RMA Analysis by branches & by countries

Events driven alerts

Fine tune transaction monitoring tool


• Better manage correspondent risks• Identify unused & dormant RMAs by branches and by countries

超過一半的 RMA 都是閒置跟從未啟動的Over half of the RMAs are dormant & unused

Identify unused & dormant RMAs by branches

RMA Analysis by branchesStatus of Inbound RMAs Status of Outbound RMAs

61





Fine Tune Transaction Monitoring Tool

• Analyse traffic data for adjusting transaction monitoring threshold• Improve effectiveness for transaction monitoring purpose

>80% les than USD10k good indicator for setting threshold

% message received by value buckets by Counterparty Country

63





Events Driven Alerts• Any interactions with countries with sanctions?• Any new RMAs created with counterparties located in countries with sanctions?• RMAs suddenly active• Fast growing counterparties• Market share exceeds a certain %

Any transactions with countries with sanctions last month?

1. New RMAs with countries with sanctions2. RMA suddenly active

Fast growing counterparties

Customer defined alerts

Q&A

Thank you!

For more information ： www.swift.com/complianceanalytics [email protected]

http://www.swift.com/complianceanalytics

mailto:[email protected]

Presentations & Public Speaking

SWIFT Compliance Forum, Hong Hong (English Session)